neos / setup

An extensible setup tool for Flow based applications
MIT License

BUGFIX: Avoid open_basedir restriction on php binary check #3

Closed RafaelKa closed 8 years ago

RafaelKa commented 8 years ago

This change improves compatibility with some ISPs (webhosting software).

When checking if phpBinaryPathAndFilename exists, PHP returns false and logs "PHP Warning: file_exists(): open_basedir restriction in effect. File(/usr/local/php56/bin/php) is not within the allowed path(s)" on most (rather all) webhosting platforms (e.g. Plesk).

By using system commands to check file existence inside exec() this behavior can be avoided.

kdambekalns commented 8 years ago

Thanks for the new PR, :+1: by reading.

dfeyer commented 8 years ago

:+1: but no Windows setup to test it completely

RafaelKa commented 8 years ago

Do you think http://www.wampserver.com/en/ is Ok for testing it on windows?

RafaelKa commented 8 years ago

Works as expected on Windows :+1:

Tested on a Windows machine with Ampps and PHP 5.6.17 as follows:

  1. Install Ampps

    1.1. Add C:\Program Files (x86)\Ampps\php\php.exe to PATH variable

    1.2. [Bugfix in php.ini] open C:\Program Files (x86)\Ampps\php\php.ini and C:\Program Files (x86)\Ampps\apache\php.ini to replace zend_extension="C:/Program Files (x86)/Ampps\php-5.5\ioncube_loader_win_5.6.dll" with zend_extension="C:/Program Files (x86)/Ampps\php\ioncube_loader_win_5.6.dll" Set memory_limit and max_execution_time properly.

    1.3. [Bugfix for Apache's rewrite] open the C:\Program Files (x86)\Ampps\apache\conf\httpd.conf file, search for AllowOverride None inside the <Directory /> tag (line ~ 226) and change None to all

  2. [GIT] install git and choose windows command line and as is everywhere
  3. [COMPOSER] install composer as described in https://getcomposer.org/download/ and https://getcomposer.org/doc/00-intro.md#installation-windows tutorials but use --install-dir="C:\Program Files (x86)\Ampps\php\" and create composer.bat in "C:\Program Files (x86)\Ampps\php\" directory also run echo @php "%~dp0composer.phar" %*>"C:\Program Files (x86)\Ampps\php\composer.bat".
  4. Install Neos

    4.1. create new domain in Ampps Web GUI and do not forget to attach Web at the end of webroot

    4.2. start cmd as admin, change into the directory defined in step 4 but without the attached Web, and remove the Web folder

    4.3. run composer create-project --no-dev typo3/neos-base-distribution . and apply the patch from this PR in your preferred way if needed

    4.4. open flow.bat and replace SET PHP=php.exe with SET PHP="C:\Program Files (x86)\Ampps\php\php.exe"

    4.5. insert following in Settings.yaml:

    TYPO3:
      Flow:
        core:
          phpBinaryPathAndFilename: 'C:\Program Files (x86)\Ampps\php\php.exe'

    4.6. uncomment SetEnv FLOW_CONTEXT Production in Web/.htaccess

    4.7. run SET FLOW_CONTEXT=Production & flow.bat flow:cache:warmup and SET FLOW_CONTEXT=Production & flow.bat resource:publish

    4.8. Go to your-domain-from-step-4.1.dev; if you'd like to import the Neos demo site you'll get a message about troubles publishing resources, just run SET FLOW_CONTEXT=Production & flow.bat resource:publish, reload the page and then click skip.

    4.9. Enjoy Neos on Windows, but think about a Vagrant or better Docker setup for development :+1:

aertmann commented 8 years ago

Not entirely sure if it's a security issue, but this potentially allows for executing commands if you can define system variables. Shouldn't $phpBinaryPathAndFilename be sanitized with escapeshellarg? /cc @kdambekalns @foerthner

Additionally a new release needs to be tagged (2.0.3) and merged into master for this to be of use to anyone.

Also there were some syntax issues and a spelling error which I fixed with 5b082d7587a2cfa82a2fa906f2f2241f69931de6

RafaelKa commented 8 years ago

Hey @aertmann,

do you have any example, which shows possible vulnerability by defining system variables within $phpBinaryPathAndFilename context?

aertmann commented 8 years ago

@RafaelKa: Hey, looked at it again and can see it's not using a system variable but a PHP constant instead, sorry my bad. However, it also uses the configuration setting TYPO3.Flow.core.phpBinaryPathAndFilename, meaning that if a user has access to write configuration they can execute commands. Being able to write configuration is not completely unlikely and this is certainly not a responsibility of someone making that possible. So better safe than sorry and escape arbitrary input properly for exec calls. Like it's done in https://github.com/neos/flow/blob/master/Classes/TYPO3/Flow/Core/Booting/Scripts.php#L295-L297
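The two points of this thread side by side, as an added example that is not the neos/setup code from the PR: the first comment's observation that file_exists() fails under open_basedir while an external process is not bound by that restriction, and the review remark that the configured TYPO3.Flow.core.phpBinaryPathAndFilename value must go through escapeshellarg() before it reaches exec(). The function names, the use of test(1) on POSIX and cmd.exe's "if exist" on Windows, and the sample paths are assumptions made for this illustration; the code targets PHP 7 or later.

```php
<?php
// Added example, not code from neos/setup. Shows why a file_exists() check
// rejects a correct configuration under open_basedir, why the configured
// value must not be pasted into an exec() command line unescaped, and one
// hardened form of the exec()-based check.

/**
 * The direct check. open_basedir restricts PHP's own filesystem functions:
 * on a path outside the allowed directories file_exists() emits
 * "open_basedir restriction in effect" and returns false even though the
 * binary is present, so the setup tool rejects a valid configuration.
 */
function binaryExistsDirect(string $phpBinaryPathAndFilename): bool
{
    return file_exists($phpBinaryPathAndFilename);
}

/**
 * Unescaped variant (the risk raised in review), kept only for contrast.
 * The configuration value becomes part of the command line verbatim, so a
 * value containing shell metacharacters is no longer a single argument and
 * whoever can write the configuration can run additional commands.
 */
function binaryExistsUnescaped(string $phpBinaryPathAndFilename): bool
{
    exec('test -f ' . $phpBinaryPathAndFilename, $output, $exitCode);
    return $exitCode === 0;
}

/**
 * Hardened variant. An external process is not subject to open_basedir,
 * and escapeshellarg() turns the whole configured value into exactly one
 * argument (single-quoted on POSIX, double-quoted on Windows), so any
 * metacharacters in it lose their meaning.
 */
function binaryExists(string $phpBinaryPathAndFilename): bool
{
    // A binary path never contains a line break or NUL byte; refuse such
    // values before anything is handed to a shell at all.
    if (preg_match('/[\r\n\0]/', $phpBinaryPathAndFilename) === 1) {
        return false;
    }
    if (!function_exists('exec')) {
        // exec() is often listed in disable_functions on shared hosting;
        // fall back to the plain check and suppress the open_basedir warning.
        return @file_exists($phpBinaryPathAndFilename);
    }
    $argument = escapeshellarg($phpBinaryPathAndFilename);
    // Assumption: cmd.exe "if exist" on Windows, test(1) everywhere else.
    $command = strncasecmp(PHP_OS, 'WIN', 3) === 0
        ? 'if exist ' . $argument . ' (exit 0) else (exit 1)'
        : 'test -f ' . $argument;
    exec($command, $output, $exitCode);
    return $exitCode === 0;
}

// Constructed sample values for a local run; not paths from the PR thread.
$configured = strncasecmp(PHP_OS, 'WIN', 3) === 0
    ? 'C:\\Windows\\System32\\cmd.exe'
    : '/bin/sh';
$tampered = $configured . '; echo injected';

var_dump(binaryExists($configured));  // true where the sample path exists
var_dump(binaryExists($tampered));    // false: the whole string is one path
```

The tampered value is deliberately harmless; the point is that the hardened function treats it as a single, non-existent path, while the unescaped variant would hand the text after the semicolon to the shell. The fallback to @file_exists() covers hosts that disable exec(), which is the other restriction commonly found next to open_basedir on shared platforms.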